Shadow IT’s National Press Conference

The phrase “shadow IT” conjures up images of shady employees secretly using banned cloud services from a supply closet. The reality, however, is that unsanctioned cloud use occurs every day at all levels of an organization, even at the office of the Secretary of State of the United States. The revelation that Hillary Clinton relied on a personal email address during her tenure may have significant political ramifications, but it should not come as a shock to those who have followed the proliferation trend of self-enabled cloud services in the workplace.

While some IT leaders may believe their organizations are hermetically sealed from the cloud, this is an impossible (and undesirable) goal for today’s enterprise. Government agencies are surprisingly similar to private sector companies when it comes to cloud use. Skyhigh’s Q4 report found that the average public sector organization uses 721 cloud services (as compared to 897 in the commercial enterprise), which is still over 10 times more than what IT expects. In many cases, these unsanctioned cloud applications serve a legitimate business need and make employees more productive. But IT still needs visibility to prevent the use of high-risk services and high-risk behaviors in relatively secure services. Let’s dig into the potential security liabilities of Clinton’s personal email address.

In this case, Clinton says she used a personal email address out of convenience. While this may sound frivolous coming from a top diplomatic official, the vast majority of employees make similar decisions every day. It would also be a dangerous fallacy to claim unsanctioned cloud use occurs only among workers ignorant of technology and security. If the CISO of a financial services company can unwittingly use an unapproved cloud service to take notes, then no worker is immune to the productivity and usability benefits of cloud applications.

The latest news with regard to Clinton’s private email divulges that the domain was hosted by a company that was hacked in 2010 and had data redirected to Ukraine. This highlights the risk of shadow IT – users don’t always have the information and knowledge needed to select the most appropriate services when self –enabling. The result is that organizations often have thousand of employees using high-risk cloud services with histories of breaches, compromising legal terms and conditions, or lack of security capabilities. In fact, of over 10,000 cloud services available to users, only 11% encrypt data at rest. In our latest report we listed the top ten most-used services that do not encrypt data at rest. Gmail, Hotmail, and AOL Mail all made the list, indicating that consumer email service providers can be insecure repositories for corporate data. While Clinton used a private server, enterprise employees are much more likely to rely on consumer email services for convenience. In fact, Sarah Palin opted to use a Yahoo! Mail account during her time as governor of Alaska. Her email account was hacked when an attacker reset her password through the security questions on the account, the answers to which were all available by Google search.

So, is the answer to block all unsanctioned cloud services? On the contrary, blocking a service can cause employees to go around IT and find other, often-times worse clouds services that aren’t blocked. The first step is to gain visibility into cloud use and risk, so IT can make data-driven decisions based on actual usage when defining on corporate policies. Security teams should aim for transparent policies and educate users on what constitutes unsafe cloud use. They should also seek to understand the business need behind use of an unsanctioned service and work to enable a secure alternative. In doing so, users will work with IT, not around it, improving the security posture of the organization. Whatever the political outcome of Clinton’s use of private emails for official use, the episode has brought shadow IT into the national spotlight.

Cloud Adoption & Risk in Government Report

For the first time, Skyhigh has quantified the usage of shadow IT in the public sector. Findings include the enforcement gap between what IT intends to block and actual block rates and the top 10 enterprise and consumer cloud services in government.